<html>
<head><meta charset="utf-8"><title>Cargo.toml dependency updates? · general · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/index.html">general</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html">Cargo.toml dependency updates?</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="221223014"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221223014" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Sean Klein <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221223014">(Dec 30 2020 at 16:07)</a>:</h4>
<p>Hey all, I keep on finding myself with a bunch of rust projects that have dependencies which need updating.</p>
<p>How do ya'll stay on top of updates? I know semantic versioning is supposed to imply "everything but the major version should be updateable", but do any tools exist to...</p>
<ul>
<li>Update minor/patch versions automatically (validating correctness against, e.g., "cargo build/test")?</li>
<li>Identify that a major version change exists, and could be upgraded (but would need to be done so manually)?</li>
</ul>
<p>I'm interested in playing around with cargo metadata to make something that helps, but I don't want to re-invent the wheel if a tool exists to do this already!</p>



<a name="221223184"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221223184" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221223184">(Dec 30 2020 at 16:09)</a>:</h4>
<p>You sure you want to update minor/patch versions in <code>.toml</code> at all? <code>cargo update</code> will regenerate the lockfile fwiw.</p>



<a name="221223277"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221223277" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221223277">(Dec 30 2020 at 16:10)</a>:</h4>
<p><a href="https://github.com/kbknapp/cargo-outdated">https://github.com/kbknapp/cargo-outdated</a> can answer the 2nd</p>



<a name="221223872"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221223872" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Sean Klein <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221223872">(Dec 30 2020 at 16:15)</a>:</h4>
<p>I guess I've always been scared to specify more liberal dependency versions, like "foo = '1'" instead of "foo = '1.x.y'", because I've been bitten by semantic versioning for API stability not being entirely true in the past. I suppose the recommended way to avoid that would be to use a lockfile + "cargo build --frozen", and use cargo update, as you suggested?</p>



<a name="221223916"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221223916" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Sean Klein <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221223916">(Dec 30 2020 at 16:16)</a>:</h4>
<p>The "cargo-outdated" tool looks rad though, definitely going to take a look at that!</p>



<a name="221223925"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221223925" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221223925">(Dec 30 2020 at 16:16)</a>:</h4>
<p>FWIW <code>foo = '1.x.y'</code> does <em>not</em> freeze that specific version</p>



<a name="221223929"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221223929" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221223929">(Dec 30 2020 at 16:16)</a>:</h4>
<p>you need <code>foo = '=1.x.y'</code> for that</p>



<a name="221223938"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221223938" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Joshua Nelson <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221223938">(Dec 30 2020 at 16:16)</a>:</h4>
<p>the first one just says "at least 1.x.y and less than 2.0"</p>



<a name="221226612"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221226612" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221226612">(Dec 30 2020 at 16:57)</a>:</h4>
<p>You should almost always avoid <code>=</code> dependencies as cargo will give an error when a crate is dependent on multiple times with semver compatible versions, but where an <code>=</code> dependency uses a version that is not compatible with all other dependencies. For example one crate depends on <code>=1.0.0</code> and another crate depends on <code>1.1.0</code>. The allowed versions are then <code>&gt;=1.1.0 &amp;&amp; &lt;2.0.0</code>, but <code>=1.0.0</code> conflicts with this. Depending on <code>0.1</code> and <code>0.2</code> is fine, as those aren't semver compatible anyway, so cargo won't try to unify them.</p>



<a name="221226700"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221226700" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> bjorn3 <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221226700">(Dec 30 2020 at 16:58)</a>:</h4>
<p><code>=</code> dependencies should pretty much only be used for either private dependencies that other crates shouldn't depend on anyway.</p>



<a name="221227798"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221227798" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mark Drobnak <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221227798">(Dec 30 2020 at 17:10)</a>:</h4>
<p>It sounds like the list of requirements are perfectly satisfied by using Dependabot, assuming you're on GitHub</p>



<a name="221415337"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221415337" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Dirkjan Ochtman <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221415337">(Jan 02 2021 at 20:11)</a>:</h4>
<p>Except that dependabot doesn't do semver, so it'll happily send you PRs for every micro update to every dependency you have</p>



<a name="221415457"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/122651-general/topic/Cargo.toml%20dependency%20updates%3F/near/221415457" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Steven Fackler <a href="https://rust-lang.github.io/zulip_archive/stream/122651-general/topic/Cargo.2Etoml.20dependency.20updates.3F.html#221415457">(Jan 02 2021 at 20:14)</a>:</h4>
<p>That is only the case if you have a lockfile afaik</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>